[SOLVED] Unable to generate commercial CSR

[patrick.herrington]

Hi

I'm using Zimbra Open Source v.5.0.18 on Ubuntu. I'm trying to generate a CSR to be used with a commercial CA.

Can this be done using zmcertmgr?
Does Zimbra have to have a local CA configured?
What are the proper steps?

I've be reading a number a white papers but I still cannot get it right.

Administration Console and CLI Certificate Tools - Zimbra :: Wiki

Recreating a Self-Signed SSL Certificate - Zimbra :: Wiki

5.x Commercial Certificates Guide - Zimbra :: Wiki

[Matuscak]

I've set up SSL on both the open source and network editions of Zimbra (5.0.18) recently and the CSR creation from the GUI didn't work right on either of them. I ended up using the shell to do it:

Code:

#!/bin/bash
#
# Generate Zimbra certificate signing request
#
# Needs to be run by root.

/opt/zimbra/bin/zmcertmgr createcsr comm -new \
 -subject "/C=US/ST=OH/L=YourTown/O=Your Organization/OU=Zimbra Server/CN=yourserver.example.com" -subjectAltNames yourserver.example.com

exit

Change the various names as needed, obviously. I used the resulting CSR with GoDaddy without a problem.

[patrick.herrington]

So I tried the command you suggested but it did not work, here is the output:

root@mail:/opt/zimbra/bin# ./zmcertmgr createcsr comm -new \ –subject "/C=CA/ST=ON/L=*****/O=********/OU=Information Services/CN=www.****.ca"
** Generating a server csr for download comm -new –subject /C=CA/ST=ON/L=****/O=*******/OU=Information Services/CN=www.****.ca
subj= –subject
** Creating /opt/zimbra/conf/zmssl.cnf...done
** Backup /opt/zimbra/ssl/zimbra to /opt/zimbra/ssl/zimbra.20090916055718
** Creating server cert request /opt/zimbra/ssl/zimbra/commercial/commercial.csr...failed.

Generating a 1024 bit RSA private key
.....................++++++
................++++++
writing new private key to '/opt/zimbra/ssl/zimbra/commercial/commercial.key'
-----
Subject does not start with '/'.
problems making Certificate Request

** Saving server config key zimbraSSLPrivateKey...done.


I then Tried the command with a forward / after -new and here is the output:

root@mail:/opt/zimbra/bin# ./zmcertmgr createcsr comm -new / –subject "/C=CA/ST=ON/L=*****/O=*******/OU=Information Services/CN=www.*****.ca"
** Generating a server csr for download comm -new / –subject /C=CA/ST=ON/L=*****/O=*******/OU=Information Services/CN=www.*******.ca
subj=/
** Creating /opt/zimbra/conf/zmssl.cnf...done
** Backup /opt/zimbra/ssl/zimbra to /opt/zimbra/ssl/zimbra.20090916055810
** Creating server cert request /opt/zimbra/ssl/zimbra/commercial/commercial.csr...done.
** Saving server config key zimbraSSLPrivateKey...done.


The command generated a CSR but when I had a verisign support agent verify the content, he told me there was no distinguished name information in the CSR.

Anymore sujestion?
I've gone ahead and reinstalled Zimbra, hopefully this will fix my problem.

[Matuscak]

How about taking a look at the CSR that was generated:

# openssl req -noout -text -in commercial.csr

Does that match up with what you would expect?

[patrick.herrington]

Well thanks a lot for your help, we finally generate a good CSR.
We had to reinstall Zimbra and then run the following command:

root@mail:/opt/zimbra/bin# ./zmcertmgr createcsr comm -new -subject "/C=CA/ST=ON/L=*****/O=********/OU=Information Services/CN=www.*****.ca" -subjectAltNames www.*****.ca

I'm still unsure if we need the -subjectAltNames option but it worked so I'm not going to change anything.

So now on to installing the certificate, wish me luck.

[hocky]

I had the same error:
Subject does not start with '/'.

and the error disappeared after i added the
-subjectAltNames yourserverhere
option

[tmanternach]

Hocky--

Remove the -subject to fix it.

[tuanta]

Quote:

Originally Posted by patrick.herrington

Well thanks a lot for your help, we finally generate a good CSR.
We had to reinstall Zimbra and then run the following command:

root@mail:/opt/zimbra/bin# ./zmcertmgr createcsr comm -new -subject "/C=CA/ST=ON/L=*****/O=********/OU=Information Services/CN=www.*****.ca" -subjectAltNames www.*****.ca

I'm still unsure if we need the -subjectAltNames option but it worked so I'm not going to change anything.

So now on to installing the certificate, wish me luck.

This is exact what I need. I worked for me too.
Thank you very much